Engineering Compliance. Not Afterthought.
Automated HIPAA Security Rule (§164.312) gap assessments for AWS environments — built by engineers, for engineers who care about security.
- What Is This? (Plain English)
- Why I Built This
- Problem vs. Solution
- How It Works
- HIPAA Controls Covered
- Risk Scoring Methodology
- Tech Specs
- Security First
- Quick Start
- Sample Output
- CI/CD Integration
- Roadmap
- About the Builder
- Disclaimer
- License
Imagine you're responsible for a healthcare application that stores patient medical records in Amazon Web Services (AWS). You've heard about HIPAA — the law that protects patient health information — and you know your system needs to comply with it.
HIPAA Sentinel is a security tool that automatically checks whether your AWS setup follows HIPAA rules.
It runs a series of checks (we call them "controls") against your cloud infrastructure — things like:
- Are your storage buckets encrypted? ✓
- Is multi-factor authentication enabled for all admin accounts? ✓
- Are audit logs turned on to track who accessed what? ✓
- Are your databases protected from the public internet? ✓
After running, it gives you two reports:
- Gap Report (JSON) — For your technical team, showing exactly what failed and how to fix it
- Executive Summary (Markdown) — For leadership, showing your compliance score in plain English
You can run it manually, or automatically every time you deploy code to catch problems early.
I built HIPAA Sentinel because I got tired of seeing the same pattern play out over and over in healthcare organizations.
Here's what usually happens: A startup lands their first healthcare client. They spin up AWS. They store patient data. Then someone asks, "Are we HIPAA compliant?" and the answer is usually "We think so."
Six months later, they're staring down a potential breach notification, a OCR audit letter, or worse — a ransomware attack that exploited a misconfigured S3 bucket. The CFO is asking why no one caught this earlier. The answer is always the same: we didn't have a way to continuously verify our controls.
Traditional compliance approaches fail for one reason: they're periodic, not continuous. You hire a consultant, they spend two weeks auditing your environment, they produce a PDF, and then that PDF sits in a drawer until next year's audit. In between? Nothing. Your environment changes daily. Your compliance posture shouldn't be a yearly snapshot.
I built HIPAA Sentinel because I believe:
- Compliance should be continuous, not point-in-time. If you can't verify your controls daily, you're flying blind.
- Engineers should own security, not abdicate it. Giving a CISO a PDF doesn't make your systems secure. Giving engineers automated checks does.
- Security tools should be run by the same people who deploy code. If your CI/CD pipeline can catch a missing semicolon, it should also catch a missing encryption key.
This tool isn't about replacing compliance professionals — it's about giving engineers the ammunition to demonstrate they're building secure systems from day one.
| Aspect | Manual Audit Approach | HIPAA Sentinel Approach |
|---|---|---|
| Time to Assess | 2–4 weeks per audit | 30–60 seconds per run |
| Frequency | Annual or semi-annual | On-demand or per-deploy |
| Coverage | Sampled controls | All implemented controls |
| Cost | $15,000–$50,000+ per audit | Free (open source) |
| Accuracy | Human error, subjective | Automated, deterministic |
| Remediation Guidance | Generic recommendations | AWS-specific fix instructions |
| Integration | None | CI/CD pipelines, Slack, Jira |
| Reporting | PDF that sits in a drawer | JSON + Markdown, version-controlled |
HIPAA Sentinel operates in three phases:
flowchart TD
A[Phase 1: Initialize] --> B[Phase 2: Execute Controls]
B --> C[Phase 3: Generate Reports]
A --> A1[Load config.yaml]
A --> A2[Initialize AWS SDK]
A --> A3[Validate credentials]
B --> B1[Access Control Checks]
B --> B2[Audit Logging Checks]
B --> B3[Encryption Checks]
B --> B4[Network Security Checks]
C --> C1[Calculate Risk Scores]
C --> C2[Generate gap-report.json]
C --> C3[Generate executive-summary.md]
style A fill:#1e3a5f,color:#fff
style B fill:#1e3a5f,color:#fff
style C fill:#1e3a5f,color:#fff
hipaa-sentinel/
├── cmd/ # CLI entry point
│ └── main.go # Command-line interface
├── config/ # Configuration management
│ ├── config.go # Configuration loading and validation
│ └── mock.go # Mock configuration for testing
├── controls/ # Control execution packages
│ ├── controls.go # Core control execution logic
│ ├── accesscontrol/ # §164.312(a)(1) Access Control
│ │ ├── checker.go # Control checker implementation
│ │ └── mock.go # Mock AWS responses
│ ├── auditlogs/ # §164.312(b) Audit Controls
│ │ ├── checker.go # Control checker implementation
│ │ └── mock.go # Mock AWS responses
│ ├── encryption/ # §164.312(e)(2)(ii) Encryption
│ │ ├── checker.go # Control checker implementation
│ │ └── mock.go # Mock AWS responses
│ └── networksecurity/ # §164.312(e)(1) Network Security
│ ├── checker.go # Control checker implementation
│ └── mock.go # Mock AWS responses
├── reporters/ # Report generation
│ ├── reporters.go # Main reporter logic
│ ├── gapreport.go # JSON gap report generator
│ └── executive.go # Executive summary generator
├── reports/ # Generated reports
│ ├── gap-report.json # Detailed findings in JSON
│ └── executive-summary.md # Executive summary in Markdown
├── config.yaml # Configuration file
├── go.mod # Go module dependencies
└── README.md # This file
| Control ID | §164.312 Reference | What It Checks | AWS Service |
|---|---|---|---|
| AC-1 | §164.312(a)(1) | MFA enabled for IAM users | IAM |
| AC-2 | §164.312(a)(1) | IAM user permissions review | IAM |
| AC-3 | §164.312(a)(1) | Password policy compliance | IAM |
| AC-4 | §164.312(a)(1) | IAM role policies review | IAM |
| AL-1 | §164.312(b) | CloudTrail enabled for all regions | CloudTrail |
| AL-2 | §164.312(b) | CloudTrail multi-region logging | CloudTrail |
| AL-3 | §164.312(b) | Log file validation enabled | CloudTrail |
| AL-4 | §164.312(b) | CloudTrail KMS encryption | CloudTrail |
| EN-1 | §164.312(e)(2)(ii) | S3 bucket encryption at rest | S3 |
| EN-2 | §164.312(e)(2)(ii) | S3 bucket versioning | S3 |
| EN-3 | §164.312(e)(2)(ii) | RDS encryption at rest | RDS |
| EN-4 | §164.312(e)(2)(ii) | KMS key rotation | KMS |
| NS-1 | §164.312(e)(1) | VPC configuration | EC2/VPC |
| NS-2 | §164.312(e)(1) | Security group restrictions | EC2 |
| NS-3 | §164.312(e)(1) | RDS public access | RDS |
| NS-4 | §164.312(e)(1) | S3 public access blocks | S3 |
Each control category is weighted based on its impact to ePHI confidentiality, integrity, and availability:
pie
title Category Weight Distribution
"Access Control" : 30
"Audit Logging" : 25
"Encryption" : 25
"Network Security" : 20
Category Score = (Passing Controls ÷ Total Controls) × 100 × Category Weight
Overall Score = Sum of All Category Scores ÷ Sum of All Weights
Severity Mapping:
| Severity | Criteria | Action Required |
|---|---|---|
| 🔴 Critical | Direct ePHI exposure risk | Immediate fix (0–24 hours) |
| 🟠 High | Significant control gap | Fix within 30 days |
| 🟡 Medium | Moderate risk | Fix within 90 days |
| 🔵 Low | Best practice deviation | Address when convenient |
| Component | Technology |
|---|---|
| Language | Go 1.21+ |
| AWS SDK | AWS SDK for Go v2 |
| Configuration | YAML (no external dependencies) |
| Output Formats | JSON, Markdown |
| Build Target | Single static binary |
| Requirement | Specification |
|---|---|
| OS | Linux, macOS, Windows |
| Architecture | amd64, arm64 |
| Memory | 256 MB minimum |
| Disk | 50 MB |
| AWS Credentials | Read-only access (or use --dry-run) |
| Metric | Value |
|---|---|
| Execution Time | 30–60 seconds (16 controls) |
| Cold Start | ~2 seconds |
| Memory Usage | ~50 MB |
| API Calls | ~20–50 per run (varies by environment) |
HIPAA Sentinel is designed with read-only, least-privilege principles. The tool never modifies your infrastructure — it only reads configuration to assess compliance.
A security tool that modifies infrastructure is a liability. Here's why read-only is the right design:
- Trust boundary: You shouldn't need to trust a third-party tool with write access to your AWS environment
- Audit trail: Changes should go through your existing CI/CD and change management processes
- Accident prevention: A misconfigured tool could inadvertently expose data; read-only eliminates this risk
- Compliance: Many compliance frameworks require separation between assessment and enforcement
Click to expand minimum required IAM policy
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "HIPAASentinelReadAccess",
"Effect": "Allow",
"Action": [
"iam:GetUser",
"iam:GetAccountPasswordPolicy",
"iam:ListUsers",
"iam:ListRoles",
"iam:ListMFADevices",
"cloudtrail:DescribeTrails",
"cloudtrail:GetTrailStatus",
"cloudtrail:LookupEvents",
"s3:GetBucketEncryption",
"s3:GetBucketVersioning",
"s3:GetPublicAccessBlock",
"s3:ListBuckets",
"rds:DescribeDBInstances",
"rds:DescribeDBClusters",
"ec2:DescribeVpcs",
"ec2:DescribeSecurityGroups",
"ec2:DescribeInstances",
"kms:ListKeys",
"kms:GetKeyRotationStatus"
],
"Resource": "*"
}
]
}Engineering Commentary: This policy follows the principle of least privilege — it grants only the permissions required to read configuration state. Notice there's no Create*, Update*, or Delete* actions. This signals engineering maturity: we've thought carefully about what permissions are actually needed, not just grabbed AdministratorAccess and called it a day. A CISO reviewing this policy can verify the tool poses no risk to their environment.
Test the tool immediately without AWS credentials:
# Clone and build
git clone https://github.com/hipaa-sentinel/hipaa-sentinel.git
cd hipaa-sentinel
go build -o hipaa-sentinel ./cmd
# Run with mock data
./hipaa-sentinel --dry-runRun against your actual AWS environment:
# Configure your AWS credentials
aws configure
# Run the assessment
./hipaa-sentinel --config ./config.yaml
# Or with CLI flags
./hipaa-sentinel --region us-east-1 --output ./reports# hipaa-sentinel/config.yaml
# AWS Configuration
aws:
region: us-east-1
profile: default
# Output Configuration
output:
directory: ./reports
format: json
# Control Categories (include or exclude)
controls:
include:
- accesscontrol
- auditlogs
- encryption
- networksecurity
# Scoring Weights
weights:
accesscontrol: 30
auditlogs: 25
encryption: 25
networksecurity: 20
# Dry Run Mode (uses mock data)
dry_run: false
# Logging
logging:
level: info
verbose: false _ __ __ __
/ | / /__ / /_ __ __/ /___ _
/ |/ / _ \/ __ \/ / / / / __ `t`/
/ /| / __/ /_/ / /_/ / / /_/ /
/_/ |_/\___/_.___/\__,_/_/\__,_/
S E N T I N E L
AWS HIPAA Compliance Checker
==================================================
Starting HIPAA compliance assessment...
==================================================
HIPAA COMPLIANCE ASSESSMENT SUMMARY
==================================================
⚠️ Overall Score: 56.3%
⚠️ Status: NON-COMPLIANT
Control Results:
✓ Passed: 9
✗ Failed: 7
○ Skipped: 0
! Errors: 0
Findings by Severity:
🔴 Critical: 5
🟠 High: 1
🟡 Medium: 1
🔵 Low: 0
Category Scores:
Access Control: 75.0%
Audit Logs: 100.0%
Encryption: 25.0%
Network Security: 25.0%
Reports saved to: ./reports
- gap-report.json
- executive-summary.md
# HIPAA Compliance Executive Summary
**Assessment Date:** March 7, 2026
## Executive Overview
⚠️ **ACTION REQUIRED** - Your organization has security gaps that need attention
## Key Metrics
| Metric | Value |
|--------|-------|
| Overall Risk Score | 56% |
| Total Controls Checked | 16 |
| Controls Passing | 9 |
| Controls Needing Attention | 7 |
| Critical Issues | 5 |
| High Priority Issues | 1 |
## Recommended Next Steps
1. Address 5 critical security issues immediately to meet HIPAA requirements
2. Resolve 1 high-priority security gap within the next 30 days
3. Implement encryption for all data at rest and in transit
4. Review and restrict network access to prevent unauthorized data exposure
5. Strengthen access controls with multi-factor authentication for all usersname: HIPAA Compliance Gate
on:
push:
branches: [main, develop]
pull_request:
branches: [main]
jobs:
hipaa-compliance:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Set up Go
uses: actions/setup-go@v5
with:
go-version: '1.21'
- name: Build HIPAA Sentinel
run: go build -o hipaa-sentinel ./cmd
- name: Run HIPAA Compliance Check
run: |
./hipaa-sentinel --dry-run --output ./reports
- name: Upload Gap Report
uses: actions/upload-artifact@v4
with:
name: hipaa-gap-report
path: reports/gap-report.json
- name: Upload Executive Summary
uses: actions/upload-artifact@v4
with:
name: hipaa-executive-summary
path: reports/executive-summary.md
- name: Check for Critical Findings
run: |
CRITICAL=$(grep -c '"severity": "Critical"' reports/gap-report.json || true)
if [ "$CRITICAL" -gt 0 ]; then
echo "❌ HIPAA Sentinel blocked deployment: $CRITICAL critical findings"
cat reports/executive-summary.md
exit 1
fi
echo "✅ No critical HIPAA findings"| Threshold | Action | Use Case |
|---|---|---|
| Critical Findings > 0 | Block deployment | Immediate HIPAA violation |
| High Findings > 0 | Warn and require approval | Significant security gap |
| Overall Score < 70% | Block deployment | Overall poor compliance posture |
| Version | Feature | Status | Business Value |
|---|---|---|---|
| v1.0 | Core 16 HIPAA controls | ✅ Complete | Automated compliance checking |
| v1.1 | JSON report generation | ✅ Complete | Machine-readable output |
| v1.2 | Executive summary report | ✅ Complete | Leadership-readable output |
| v1.3 | Dry-run mode with mocks | ✅ Complete | Testing without AWS credentials |
| v1.4 | Configurable scoring weights | ✅ Complete | Customizable risk prioritization |
| v1.5 | CI/CD integration templates | ✅ Complete | Deployment pipeline integration |
| v1.6 | Multi-region AWS support | ✅ Complete | Global AWS environment support |
| v1.7 | Verbose logging mode | ✅ Complete | Debugging and troubleshooting |
| v2.0 | Real-time Slack notifications | 🟡 Planned | Immediate compliance alerts |
| v2.0 | Jira integration | 🟡 Planned | Automated ticket creation |
| v2.0 | SOC 2 controls | 🟡 Planned | Expanded compliance coverage |
| v2.0 | PDF report generation | 🟡 Planned | Formal audit documentation |
| Name | David Gawk |
| Role | Backend Engineer → GRC & Cloud Security |
| Location | British Columbia, Canada (Remote-First) |
| Background | Building production systems for 10+ years, now deliberately transitioning into Governance, Risk, and Compliance (GRC) with a security engineering focus |
| Philosophy | I can implement a compliance control in Go AND explain it to a CISO in plain English |
| Category | Technologies |
|---|---|
| Languages | Go, Python, TypeScript |
| Cloud | AWS (primary), GCP, Azure |
| Infrastructure | Terraform, CloudFormation, Kubernetes |
| Security | AWS Security Hub, GuardDuty, Config Rules |
| Compliance | HIPAA, SOC 2, PCI-DSS |
| Certifications In Progress | AWS Security Specialty, Certified Information Security Manager (CISM) |
I built HIPAA Sentinel because I believe engineers who build systems should be the same engineers who verify they're secure. Compliance isn't a checkbox — it's a continuous practice.
HIPAA Sentinel is a tool, not legal advice.
This tool helps you assess technical controls against the HIPAA Security Rule, but it does not guarantee HIPAA compliance. HIPAA compliance involves administrative, physical, and technical safeguards, as well as business associate agreements, policies, procedures, and ongoing risk analysis.
Always consult with a qualified HIPAA compliance professional or legal counsel for official compliance assessments. The authors and contributors of this project accept no liability for decisions made based on this tool's output.
MIT License — See LICENSE for full text.